Revision history

initial version
The rules of my default security group do not work in Havana OpenStack

Good afternoon everybody, how are you? I hope you are fine.

I'm new to the OpenStack world. My first step was to install OpenStack on computers with Ubuntu, following the tutorial found at http://docs.openstack.org/havana/install-guide/install/apt/content/. I also use Open vSwitch.

After verifying that the services are active and enabled, I created an external network and a network with a subnet, both of them connected to a router; I also set the gateway of the router to the external network (following the example in the OpenStack docs). On the other hand, I launched a VM and associated a floating IP from the external network, then verified the connectivity between the router, the VM and the DHCP; all of them work well. Then I tried to ping the floating IP from another computer, external to the testbed, and to my surprise I can ping it. I supposed that was not possible because no rules exist for this traffic. So I checked the security group rules and found the group Default with 4 rules allowing IPv4 and IPv6 traffic (egress and ingress). I guessed these rules are responsible for ensuring the connectivity between OpenStack and the VMs. But anyway, I deleted these rules and tried the ping again from the external PC, and the ping worked again.

The configuration of nova.conf, nova-compute.conf and neutron_plugin_ovs is:

nova.conf:

[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata

#Network Settings
network_api_class=nova.network.neutronv2.api.API
neutron_url=http://controller:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=password
neutron_admin_auth_url=http://controller:35357/v2.0
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron

nova-compute.conf:

[DEFAULT]
libvirt_type=kvm
compute_driver=libvirt.LibvirtDriver

ovs_neutron plugin:

[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
# Example:
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Thanks in advance. Sorry to bother you.

Best Regards, Rafael.
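The question pairs three settings that have to agree before Neutron security groups are enforced on an Open vSwitch compute node: nova must delegate security groups to Neutron and switch its own firewall off, nova must plug the VM through the hybrid Linux bridge, and the Neutron OVS agent must run the iptables hybrid firewall driver. As an added example (not code from the original post or from OpenStack), the following Python checker parses nova.conf and the OVS plugin ini and reports any setting that would leave the rules unenforced. The expected values are the ones in the Havana install guide linked above; the sample config texts are constructed from the question's fragments, with the password replaced by a placeholder.

```python
"""Consistency check for Neutron-enforced security groups (Havana, OVS node).

Added example; not code from the original post or from OpenStack itself.
Parses nova.conf and the OVS plugin ini and reports settings that would leave
Neutron security-group rules unenforced.  The sample configs below are
constructed from the fragments in the question (password is a placeholder).
"""
import configparser

# Values documented in the Havana install guide for Neutron security groups on
# an Open vSwitch compute node: nova delegates enforcement to Neutron, the
# Neutron agent uses the iptables hybrid driver, and nova plugs the VM into the
# hybrid Linux bridge so iptables rules have a port to attach to.
NOVA_NOOP_FW = "nova.virt.firewall.NoopFirewallDriver"
NOVA_HYBRID_VIF = "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"
NEUTRON_NOOP_FW = "neutron.agent.firewall.NoopFirewallDriver"
NEUTRON_HYBRID_FW = ("neutron.agent.linux.iptables_firewall."
                     "OVSHybridIptablesFirewallDriver")


def parse_ini(text):
    """Parse OpenStack-style ini text.  Split on '=' only, because values
    such as neutron_url=http://controller:9696 contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def check_security_groups(nova_text, plugin_text):
    """Return a list of findings; an empty list means the files are consistent."""
    nova = parse_ini(nova_text)
    plugin = parse_ini(plugin_text)
    findings = []

    # If nova keeps security groups for itself, Neutron's rules are never consulted.
    sg_api = nova.get("DEFAULT", "security_group_api", fallback="nova")
    if sg_api != "neutron":
        findings.append("nova.conf: security_group_api=%s (expected neutron)" % sg_api)

    # Nova's own firewall must be the Noop driver so the two stacks do not collide.
    nova_fw = nova.get("DEFAULT", "firewall_driver", fallback="<unset>")
    if nova_fw != NOVA_NOOP_FW:
        findings.append("nova.conf: firewall_driver=%s (expected %s)"
                        % (nova_fw, NOVA_NOOP_FW))

    # Without the hybrid bridge there is no Linux bridge port for iptables rules.
    vif = nova.get("DEFAULT", "libvirt_vif_driver", fallback="<unset>")
    if vif != NOVA_HYBRID_VIF:
        findings.append("nova.conf: libvirt_vif_driver=%s (expected %s)"
                        % (vif, NOVA_HYBRID_VIF))

    # Agent side: a missing or Noop driver means the rules exist in the API but
    # nothing on the compute node programs them.
    agent_fw = plugin.get("securitygroup", "firewall_driver", fallback="<unset>")
    if agent_fw in ("<unset>", NEUTRON_NOOP_FW):
        findings.append("plugin ini: [securitygroup] firewall_driver=%s; "
                        "rules are not enforced" % agent_fw)
    elif agent_fw != NEUTRON_HYBRID_FW:
        findings.append("plugin ini: unexpected firewall_driver=%s" % agent_fw)

    return findings


# Constructed sample modelled on the question's nova.conf (network settings only).
NOVA_CONF = """\
[DEFAULT]
network_api_class=nova.network.neutronv2.api.API
neutron_url=http://controller:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=PLACEHOLDER
neutron_admin_auth_url=http://controller:35357/v2.0
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
"""

# Constructed sample of the OVS plugin ini [securitygroup] section as posted.
PLUGIN_OK = """\
[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed weak variant: the Noop driver left active on the agent.
PLUGIN_NOOP = """\
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""

if __name__ == "__main__":
    for label, plugin in (("as posted", PLUGIN_OK), ("noop agent", PLUGIN_NOOP)):
        print(label, check_security_groups(NOVA_CONF, plugin) or ["OK"])
```

The posted fragments pass this check, which narrows the problem: a consistent pair of files is necessary but not sufficient. nova-compute and the OVS agent must have been restarted after the change and must actually be reading these files, so the next thing to confirm on the compute node is that the agent has programmed iptables chains for the instance's port.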


No.3 Revision

Default Neutron security group is ineffective
